This tutorial is currently not available in Python. Choose another language.

Introduction

Most data breaches are actually caused by password breaches. A password is known as a universal enabler of fraud: most users re-use the same password across all their accounts. Breach it once, use it multiple times. In theory, two-factor authentication & login fraud detection techniques can mitigate password breaches, but in practice they're inconvenient and users don't actually utilize them.

Virgil Security has taken Pythia, designed by Adam Everspaugh and Rahul Chaterjee, University of Wisconsin–Madison; Samuel Scott, University of London; Ari Juels and Thomas Ristenpart, Cornell Tech, and built a cloud service that protects password databases in the most secure way possible.

Breach-proof password - the most cryptographically protected user password. It allows developers to protect their user passwords if the database is stolen or compromised.

Press here to read more about our solution

Problem

In standard password security implementation, passwords are hashed and stored in the user table. Even though hashing is a one-way transformation, there are techniques to reverse engineer them back to the original passwords: rainbow table attacks, brute-force & dictionary attacks.

In advanced password security implementations, a random salt is added to the password before hashing. The problem is that this random salt has to be stored in the user table, so that the login function can verify the password. Obviously this is a security weakness.

Solution

Virgil Security presents Pythia, a new technology that gives you a new, more secure mechanism that "breach-proofs" user passwords and lessens the security risks associated with weak passwords. With Pythia, passwords are no longer the weakest link in your system.

Virgil Pythia protects users' passwords without having to know a user's identity, password or its hash. Virgil Pythia doesn't generate a new user password; it just makes a password cryptographically safer.

Pythia detects online attacks and if Pythia or your user database is compromised, attackers still can't run offline attacks.

You can quickly update a user's breach-proof password in the event someone compromises your database without having to create new user passwords, nor do you need to terminate work of your system.

How it works

A user sends his or her password and login to your Application Server and you identify a user using your own authentication mechanism.

Then you have to pass a user's password or its hash to Pythia SDK.

Pythia SDK blinds a user's password.

Then Pythia SDK sends a request to Pythia Service in order to receive a user's transformed blinded password.

Pythia Service creates a transformed blinded password and sends it to your App Server.

The Pythia SDK de-blinds the transformed blinded password on the App Server and get a deblinded password (breach-proof password).

Then Pythia SDK compares this calculated user's breach-proof password with a value that is stored in your DB.

So, you perform all operations under user's password on your App Server, thus Virgil Pythia protects users' passwords without having to know a user's identity, password or its hash. Pythia SDK blinds and de-blinds users passwords each time a user logs in, and a user won't even know it's happening. Technical details can be found in the Virgil Security Pythia white paper.

Going through the tutorial you find the following expressions:

Parameter

Description

Blinded Password

a user's password that is hidden from Pythia Service with unique random number.

Transformed Blinded Password

a blinded password, protected using Pythia Service data.

Deblinded Password

user's breach-proof password, that is a cryptographically the most protected.

What Virgil provides for developers

Virgil Pythia Service for storing & managing Pythia Application and its parameters.

Virgil Pythia SDK which allows you to easily manage a Crypto Library and communicate with Virgil Services.

Let's get started!

Collect account information

The first thing you need to do is to create Pythia Application on Virgil dashboard and grab all the necessary information to set up your Server side.

You need the following account and application parameters from your dashboard:

Parameters

Description

API Private Key

Unique Private Key for an access to Virgil Services. API Key is used to generate a JWT token and authenticate you at Pythia Service - generate one here.

Install SDK Package

Click here to see complete instructions for SDK installation

Configure SDK

When you create a Pythia Application on the Virgil Dashboard you will receive Application credentials including: Proof Key and App ID. Specify your Pythia Application and Virgil account credentials in a Pythia SDK class instance.

These credentials are used for the following purposes:

generating a JWT token that is used for authorization on the Virgil Services

creating a user's breach-proof password

Here is an example of how to specify your credentials SDK class instance:

# this language is not supported yet.

Create breach-proof passwords

Now, you have to set up your database to store users' breach-proof passwords. Create additional columns in your database for storing the following parameters:

Parameters

Type

Size (bytes)

Description

salt

blob

32

Unique random string that is generated by Pythia SDK for each user

deblindedPassword

blob

384

user's breach-proof password

version

int

4

Version of your Pythia Application credentials. This parameter has the same value for all users unless you generate new Pythia credentials on Virgil Dashboard

Now we can start creating breach-proof passwords for users. Depending on the situation, you will use one of the following Pythia SDK functions:

Create BreachProofPassword is used to create a user's breach-proof password on your Application Server.

Verify BreachProofPassword is used to verify a user's breach-proof password.

Create Breach-Proof Password

Use this flow to create a new breach-proof password for a user.

Remember, if you already have a database with user passwords, you don't have to wait until a user logs in into your system to implement Pythia. You can go through your database and create breach-proof user passwords at any time.

So, in order to create a user's breach-proof password for a new database or available one, go through the following operations:

Take a user's password (or its hash or whatever you use) and pass it into a Create BreachProofPassword function in SDK.

Pythia SDK will blind a password, send a request to Pythia Service to get a transformed blinded password and de-blind the transformed blinded password into a user's deblinded password (breach-proof password).

Check that you updated all database records and delete the now unnecessary column where user passwords were previously stored.

Verify Breach-Proof Password

Use this flow when a user already has his or her own breach-proof password in your database. You will have to pass his or her password into an Verify BreachProofPassword function:

# this language is not supported yet.

The difference between the Verify BreachProofPassword and Create BreachProofPassword functions is that the verification of Pythia Service is optional in Verify BreachProofPassword function, which allows you to achieve maximum performance when processing data. You can turn on a proof step in Verify BreachProofPassword function if you have any suspicions that a user or Pythia Service were compromised.

Request Limits for a user

For the safety of a user's account, the number of requests to Pythia Service that your server can make for one user is limited to 1 request every 2 seconds. Reaching the limit triggers a safeguard, which temporarily suspends the account.

You can send an authentication request again in a few seconds.

Update breach-proof passwords

This step will allow you to use an updateToken in order to update users' breach-proof passwords in your database.